Defining and communicating the Board's Information Risk Management Regime is central to the organisation's overall cyber strategy. CESG recommends reviewing this regime, together with the nine associated security areas described below, in order to protect your business against the majority of cyber threats.

Information Risk Management Regime

Establish a governance framework: Enable and support risk management across the organisation.

Determine your risk appetite: Decide on the level of risk the organisation is prepared to tolerate and communicate it.

Maintain the Board’s engagement with cyber risk: Make cyber risk a regular agenda item. Record cyber risks in the corporate risk register to ensure senior ownership.

Produce supporting risk management policies: An overarching corporate security policy should be produced together with an information risk management policy.

Adopt a lifecycle approach: Risk management is a whole life process and the organisation’s policies and processes should support and enable this.

Secure configuration

Apply security patches and ensure that the secure configuration of all ICT systems is maintained.

Create a system inventory and define a baseline build for all ICT devices.

Develop corporate policies to update and patch systems: Establish and maintain policies that set out the priority and timescales for applying updates and patches.

Create and maintain hardware and software inventories: Use automated tools to create and maintain inventories of every device and application used by the organisation.
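The three secure-configuration points above (a baseline build, an inventory, and patch timescales) only pay off when something compares them against each other on a schedule. The script below is an added example, not part of the CESG guidance or this page: it takes a constructed baseline build, a constructed patch policy and a constructed inventory (as an assumed automated discovery tool might export it) and reports every device that deviates from the baseline or carries an update older than the policy allows for its severity. All hostnames, setting names, update ids and timescales are made up for illustration.

```python
"""Baseline-build and patch-compliance check.

Added example: the baseline, patch policy and inventory below are constructed
values, not CESG's or the page's own, and the discovery tool is assumed.
"""
from datetime import date

# Constructed baseline build: settings every managed device must carry.
BASELINE = {
    "disk_encryption": "on",
    "firewall": "on",
    "autorun": "off",
    "local_admin_enabled": "false",
}

# Constructed patch policy: maximum days an update may remain unapplied,
# keyed by the vendor's severity rating (a stand-in for the organisation's
# own priority/timescale policy).
PATCH_DEADLINE_DAYS = {"critical": 14, "high": 30, "medium": 60, "low": 90}

# Constructed inventory as an (assumed) automated discovery tool might export it.
INVENTORY = [
    {"host": "ws-001",
     "settings": {"disk_encryption": "on", "firewall": "on",
                  "autorun": "off", "local_admin_enabled": "false"},
     "pending_updates": []},
    {"host": "ws-002",
     "settings": {"disk_encryption": "off", "firewall": "on",
                  "autorun": "on", "local_admin_enabled": "false"},
     "pending_updates": [{"id": "UPD-0001", "severity": "critical",
                          "released": date(2023, 1, 1)}]},
    {"host": "srv-010",
     # local_admin_enabled is missing entirely: the tool could not read it.
     "settings": {"disk_encryption": "on", "firewall": "on", "autorun": "off"},
     "pending_updates": [{"id": "UPD-0002", "severity": "low",
                          "released": date(2023, 2, 20)}]},
]

# Constructed date of the compliance run.
REPORT_DATE = date(2023, 3, 1)


def baseline_deviations(device, baseline=BASELINE):
    """Return {setting: (expected, actual)} for each baseline setting the device
    does not match. A setting the tool could not read is reported as actual=None,
    so an unreadable control counts as a deviation rather than being ignored."""
    actual = device["settings"]
    return {k: (v, actual.get(k)) for k, v in baseline.items() if actual.get(k) != v}


def overdue_updates(device, today, deadlines=PATCH_DEADLINE_DAYS):
    """Return ids of pending updates older than the policy timescale for their severity."""
    overdue = []
    for upd in device["pending_updates"]:
        age_days = (today - upd["released"]).days
        if age_days > deadlines[upd["severity"]]:
            overdue.append(upd["id"])
    return overdue


def compliance_report(inventory, today):
    """Map host -> {deviations, overdue, compliant}; a host is compliant only
    when it matches the baseline and has no overdue updates."""
    report = {}
    for dev in inventory:
        deviations = baseline_deviations(dev)
        overdue = overdue_updates(dev, today)
        report[dev["host"]] = {
            "deviations": deviations,
            "overdue": overdue,
            "compliant": not deviations and not overdue,
        }
    return report


if __name__ == "__main__":
    for host, result in compliance_report(INVENTORY, REPORT_DATE).items():
        print(host, "OK" if result["compliant"] else result)
```

Treating a missing setting as a deviation (rather than skipping it) is deliberate: a device the inventory tool cannot fully read is exactly the one most likely to have drifted from the baseline.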

Managing user privileges

Establish account management processes and limit the number of privileged accounts.

Limit user privileges and monitor user activity: Minimise privileges for all users. Provide administrators with normal accounts for business use. Review the requirement for a privileged account more frequently than standard accounts.
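The review points above (fewer privileged accounts, a separate normal account for each administrator, and more frequent review of privileged accounts) can be checked mechanically against a directory export. The script below is an added example, not CESG's or the page's own: it runs over a constructed account list with constructed review intervals and lists accounts overdue for review, administrators who lack a normal account for business use, and the share of accounts that are privileged. Account names, owners and intervals are made up for illustration.

```python
"""Privileged-account review checks.

Added example: the accounts and review intervals are constructed, and the
directory export format (name, owner, privileged flag, last review date) is assumed.
"""
from datetime import date

# Constructed review intervals: privileged accounts are reviewed more often
# than standard ones, as the guidance asks.
REVIEW_INTERVAL_DAYS = {"privileged": 90, "standard": 365}

# Constructed directory export. "owner" ties an admin account to the person
# behind it, so we can check that each administrator also holds a normal
# account for day-to-day business use.
ACCOUNTS = [
    {"name": "alice",     "owner": "alice", "privileged": False, "last_review": date(2022, 6, 1)},
    {"name": "alice-adm", "owner": "alice", "privileged": True,  "last_review": date(2023, 1, 15)},
    {"name": "bob-adm",   "owner": "bob",   "privileged": True,  "last_review": date(2022, 10, 1)},
    {"name": "carol",     "owner": "carol", "privileged": False, "last_review": date(2021, 12, 1)},
]

# Constructed date of the review run.
REVIEW_DATE = date(2023, 3, 1)


def accounts_due_review(accounts, today, intervals=REVIEW_INTERVAL_DAYS):
    """Names of accounts whose last review is older than the interval for their level."""
    due = []
    for acct in accounts:
        level = "privileged" if acct["privileged"] else "standard"
        if (today - acct["last_review"]).days > intervals[level]:
            due.append(acct["name"])
    return due


def admins_without_normal_account(accounts):
    """Owners who hold a privileged account but no standard account, i.e. people
    who would be doing ordinary business (mail, browsing) with admin rights."""
    owners_with_standard = {a["owner"] for a in accounts if not a["privileged"]}
    owners_with_privileged = {a["owner"] for a in accounts if a["privileged"]}
    return sorted(owners_with_privileged - owners_with_standard)


def privileged_ratio(accounts):
    """Share of all accounts that are privileged; a simple figure to track
    over time when working to limit the number of privileged accounts."""
    return sum(1 for a in accounts if a["privileged"]) / len(accounts)


if __name__ == "__main__":
    print("due for review:", accounts_due_review(ACCOUNTS, REVIEW_DATE))
    print("admins without a normal account:", admins_without_normal_account(ACCOUNTS))
    print("privileged share:", privileged_ratio(ACCOUNTS))
```

In the constructed data, bob-adm is overdue under the 90-day privileged interval even though a standard account last reviewed on the same date would not be, and bob has no normal account at all, which is the combination the guidance is trying to prevent.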

Maintain user awareness of the threats: All users should receive regular refresher training on the cyber risks to the organisation.

Support the formal assessment of IA skills: Encourage relevant staff to develop and formally validate their IA skills.

Incident management

Establish an incident response and disaster recovery capability.

Produce and test incident management plans.

Provide specialist training to the incident management team: The incident response team should receive specialist training to ensure they have the skills and expertise to address the range of incidents that may occur.

Report criminal incidents to law enforcement.

Obtain senior management approval and backing: The Board should lead on the delivery of the incident management plans.

Malware prevention

Produce relevant policy and establish anti-malware defences that are applicable and relevant to all business areas.

Develop and publish corporate policies: Produce policies to manage the risks to the business processes from malware.

Establish anti-malware defences across the organisation: Agree a corporate approach to managing the risks from malware for each business area.

Scan for malware across the organisation: Protect all host and client machines with anti-virus solutions that will automatically scan for malware.

Monitoring ICT systems and traffic

Establish a monitoring strategy and supporting policies: Implement an organisational monitoring strategy and policy based on an assessment of the risks.

Monitor all ICT systems: Ensure that the solution monitors all networks and host systems (e.g. clients and servers).

Monitor network traffic: Network traffic should be continuously monitored to identify unusual activity or trends that could indicate an attack.
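"Unusual activity or trends" only means something relative to what is usual for each host, so a monitoring solution needs a per-host baseline before it can raise alerts. The script below is an added example, not CESG's or the page's own: over constructed daily flow records (day, host, destination port, bytes sent) it builds a baseline of typical outbound volume and ports seen per host, then flags the day under review for volume well above that baseline, first use of a destination port, and hosts with no baseline at all. The record layout, hostnames, ports and byte counts are all constructed for illustration.

```python
"""Flag unusual outbound traffic against a per-host baseline.

Added example: the flow records are constructed and their (day, host, port,
bytes) layout is assumed; a real deployment would read them from the
organisation's own monitoring solution.
"""
from statistics import mean, pstdev

# Constructed baseline window: five ordinary days for two hosts.
BASELINE_FLOWS = [
    ("day1", "ws-001", 443, 12_000), ("day2", "ws-001", 443, 15_000),
    ("day3", "ws-001", 443, 11_000), ("day4", "ws-001", 443, 14_000),
    ("day5", "ws-001", 443, 13_000),
    ("day1", "srv-010", 25, 8_000), ("day2", "srv-010", 25, 8_500),
    ("day3", "srv-010", 25, 7_500), ("day4", "srv-010", 25, 8_200),
    ("day5", "srv-010", 25, 7_800),
]

# Constructed records for the day under review.
TODAY_FLOWS = [
    ("day6", "ws-001", 443, 13_500),   # ordinary volume on a known port
    ("day6", "ws-001", 22, 2_000),     # a destination port this host has never used
    ("day6", "srv-010", 25, 95_000),   # roughly twelve times the usual daily volume
    ("day6", "ws-099", 443, 1_000),    # a host absent from the baseline window
]


def daily_totals(flows):
    """Aggregate records into {(day, host): bytes} and {host: set of ports used}."""
    totals, ports = {}, {}
    for day, host, port, nbytes in flows:
        totals[(day, host)] = totals.get((day, host), 0) + nbytes
        ports.setdefault(host, set()).add(port)
    return totals, ports


def build_baseline(flows):
    """Per host: mean and population std-dev of daily outbound bytes, plus ports seen."""
    totals, ports = daily_totals(flows)
    per_host = {}
    for (_, host), nbytes in totals.items():
        per_host.setdefault(host, []).append(nbytes)
    return {
        host: {"mean": mean(vals), "stdev": pstdev(vals), "ports": ports[host]}
        for host, vals in per_host.items()
    }


def detect_anomalies(baseline_flows, today_flows, sigmas=3.0, min_ratio=1.5):
    """Return a list of alert dicts {host, kind, detail} for the day under review.

    kind is one of:
      volume       - daily bytes above mean + sigmas*stdev (and above min_ratio*mean,
                     so a perfectly flat baseline does not alert on tiny changes)
      new_port     - destination port not seen for this host in the baseline
      unknown_host - host with no baseline at all
    """
    baseline = build_baseline(baseline_flows)
    totals, ports = daily_totals(today_flows)
    alerts = []
    for (day, host), nbytes in totals.items():
        if host not in baseline:
            alerts.append({"host": host, "kind": "unknown_host",
                           "detail": f"{day}: no baseline exists for {host}"})
            continue
        b = baseline[host]
        threshold = max(b["mean"] + sigmas * b["stdev"], min_ratio * b["mean"])
        if nbytes > threshold:
            alerts.append({"host": host, "kind": "volume",
                           "detail": f"{day}: {nbytes} bytes vs threshold {threshold:.0f}"})
        for port in sorted(ports[host] - b["ports"]):
            alerts.append({"host": host, "kind": "new_port",
                           "detail": f"{day}: first use of destination port {port}"})
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(BASELINE_FLOWS, TODAY_FLOWS):
        print(alert["host"], alert["kind"], alert["detail"])
```

The "unknown host" alert is the one most often dropped from such logic, yet a device sending traffic with no history at all is just what an inventory-based monitoring strategy should surface, since it means the monitoring solution and the system inventory disagree.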

Removable media controls

Scan all media for malware before importing into the corporate system.

Produce a corporate policy: Implement policy to control the use of removable media for the import and export of information.

Limit the use of removable media: Limit the media types that can be used together with user and system access and the information types that can be stored on removable media.

Scan all removable media for malware: All clients and hosts should automatically scan removable media. Any media brought into the organisation should be scanned for malware by a stand-alone scanner before any data transfer takes place.

Home and mobile working

Develop a mobile working policy and train staff to adhere to it.

Protect data both in transit and at rest.

Assess the risks and create a mobile working policy: The policy should cover aspects such as information types, user credentials, devices, encryption and incident reporting.

Educate users and maintain their awareness: Educate users about the risks and train them to use their mobile device securely by following the security procedures.

Apply the secure baseline build: All mobile devices should be configured to an agreed secure baseline build.


About

Hi! I'm Alex. Thank you for reading the article above. I am a Certified MCITP: SA and EA, CEH, ECHA and ITIL with more than 10 years of experience working in the information technology industry as an IT Solution Consultant based in Singapore. If you have any suggestions, tips or feedback, feel free to send me an email: editor@pupuweb.com